At 00:28 28/03/2017 Tuesday, Richard Barnes wrote:
>Thanks, Roland. Interesting draft.
>
>Couple of first reactions:
>
>- Why use the target of the PTR instead of just provisioning the TXT record
>directly in the reverse DNS. (Is there some restriction in the spec for
>reverse DNS that says it's only PTR?) It seems like by using the PTR target,
>your security analysis gets much more complicated.
I can see sense here, as getting an ISP to point a customer's PTRs at a set of names is easy (getting many to put anything else in an in-addr.arpa zone is non-simple, as many use horrible front ends with limited options), since smaller customers have no direct control over PTR zones but achieve control via the ISP (or a CNAME, as a PTR to a zone they can control), such as mine: 106.238.120.193.ptr.narrowpoint.com

>- For the re-use of "http-01", you should probably specify the contents of the
>Host header. (Main ACME should probably clarify that for DNS, if it's not
>clear already.)

I would hope the Host header would be the IP, as it's the IP being authenticated, so a cert covering https://xxx.xxx.xxx.xxx can be generated (as personally I'd like to be able to add the IPs to the SAN cert, even though the IP normally just serves an impolite error suggesting the 'bot-usually' try probing elsewhere ;)

>On Mon, Mar 27, 2017 at 4:38 PM, Roland Shoemaker <[email protected]> wrote:
>Probably of interest to some people here, would love to hear your
>thoughts.
>
>-------- Forwarded Message --------
>Subject: New Version Notification for draft-shoemaker-acme-ip-00.txt
>Date: Mon, 27 Mar 2017 13:30:19 -0700
>From: [email protected]
>To: Roland Bracewell Shoemaker <[email protected]>, Roland Shoemaker <[email protected]>
>
>
>A new version of I-D, draft-shoemaker-acme-ip-00.txt
>has been successfully submitted by Roland Bracewell Shoemaker and posted
>to the IETF repository.
>
>Name:          draft-shoemaker-acme-ip
>Revision:      00
>Title:         ACME IP Identifier Validation Extension
>Document date: 2017-03-27
>Group:         Individual Submission
>Pages:         6
>URL:           https://www.ietf.org/internet-drafts/draft-shoemaker-acme-ip-00.txt
>Status:        https://datatracker.ietf.org/doc/draft-shoemaker-acme-ip/
>Htmlized:      https://tools.ietf.org/html/draft-shoemaker-acme-ip-00
>Htmlized:      https://datatracker.ietf.org/doc/html/draft-shoemaker-acme-ip-00
>
>
>Abstract:
>   This document specifies identifiers and challenges required to enable
>   the Automated Certificate Management Environment (ACME) to issue
>   certificates for IP addresses.
>
>
>Please note that it may take a couple of minutes from the time of submission
>until the htmlized version and diff are available at tools.ietf.org.
>
>The IETF Secretariat
>
>_______________________________________________
>Acme mailing list
>[email protected]
>https://www.ietf.org/mailman/listinfo/acme
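A worked model of the two provisioning options debated above, as an added example that is not part of the thread or of the draft: it builds the reverse-DNS owner name for an IPv4 or IPv6 address and then checks for a challenge TXT record either directly in the reverse zone or at the PTR target, using a constructed in-memory zone in place of real DNS (the record values are made up; the owner name follows the example given in the reply, and the assumed challenge is simply "expected token present in a TXT record").

```python
import ipaddress

# Constructed toy zone data for offline demonstration. The TXT values are
# invented; the owner names follow the 193.120.238.106 example in the reply.
ZONES = {
    "106.238.120.193.in-addr.arpa.": {
        "PTR": ["106.238.120.193.ptr.narrowpoint.com."],
        "TXT": ["direct-token-example"],
    },
    "106.238.120.193.ptr.narrowpoint.com.": {
        "TXT": ["ptr-target-token-example"],
    },
}


def lookup(name, rrtype):
    """Toy resolver: return the records of the given type at name, or []."""
    return ZONES.get(name, {}).get(rrtype, [])


def reverse_name(ip):
    """Build the reverse-DNS owner name (in-addr.arpa / ip6.arpa) for ip."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."
    # IPv6: one label per hex nibble of the fully expanded address, reversed.
    nibbles = addr.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def validate_direct(ip, expected):
    """Option 1 (Barnes): TXT record provisioned in the reverse zone itself.
    Returns (ok, owner names whose operators could satisfy the challenge)."""
    rname = reverse_name(ip)
    return expected in lookup(rname, "TXT"), [rname]


def validate_via_ptr(ip, expected):
    """Option 2 (the draft as discussed): follow the PTR and look for the TXT
    record at its target. Each PTR target's zone joins the set of parties that
    can satisfy the challenge, which is what enlarges the trust analysis."""
    rname = reverse_name(ip)
    trusted = [rname]
    for target in lookup(rname, "PTR"):
        trusted.append(target)
        if expected in lookup(target, "TXT"):
            return True, trusted
    return False, trusted
```

The second element of each result lists every zone that could have supplied the record, so the two options can be compared on how many operators end up in the trust path.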
